DSA-2021-243: Dell PowerScale OneFS Contains Security Update for Multiple Vulnerabilities.
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36350 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors. A remote unauthenticated attacker may potentially exploit this vulnerability and bypass one of the factors of authentication. | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Third-party Component | CVEs | More information |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 |
| Intel Platform | Multiple CVEs | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00463.html |
| cURL | Multiple CVEs | https://curl.se/docs/vuln-7.78.0.html |
| Python | CVE-2021-23336 | https://nvd.nist.gov/vuln/detail/CVE-2021-23336 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36350 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors. A remote unauthenticated attacker may potentially exploit this vulnerability and bypass one of the factors of authentication. | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Third-party Component | CVEs | More information |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 |
| Intel Platform | Multiple CVEs | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00463.html |
| cURL | Multiple CVEs | https://curl.se/docs/vuln-7.78.0.html |
| Python | CVE-2021-23336 | https://nvd.nist.gov/vuln/detail/CVE-2021-23336 |
Affected Products & Remediation
| CVEs Addressed |
|
Updated Versions | Link to Update | |
| CVE-2021-3712 (OpenSSL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
|
| 9.3.0.x | Available from December (or later) RUP | |||
| 9.1.0.x, 9 and2.1.x | Download and install the latest RUP | |||
| Multiple CVEs (Intel) | All supported OneFS versions | Download and install the latest NFP for your node types | ||
| Multiple CVEs (cURL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-23336 (Python) | 8.2.1.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.x, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-36350 (PowerScale OneFS) | 8.2.1.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP |
| CVEs Addressed |
|
Updated Versions | Link to Update | |
| CVE-2021-3712 (OpenSSL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
|
| 9.3.0.x | Available from December (or later) RUP | |||
| 9.1.0.x, 9 and2.1.x | Download and install the latest RUP | |||
| Multiple CVEs (Intel) | All supported OneFS versions | Download and install the latest NFP for your node types | ||
| Multiple CVEs (cURL) | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-23336 (Python) | 8.2.1.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.x, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | |||
| CVE-2021-36350 (PowerScale OneFS) | 8.2.1.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | ||
| 9.3.0.x | Download and install December (or later) RUP | |||
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP |
Workarounds & Mitigations
| CVEs Addressed | Workarounds or Mitigations |
| CVE-2021-3712 (OpenSSL) | Avoid granting the ISI_PRIV_AUTH_SSH RBAC role to non-administrators. |
| Multiple CVEs (Intel) | None |
| Multiple CVEs (cURL) | None |
| CVE-2021-23336 (Python) | None |
| CVE-2021-36350 (PowerScale OneFS) | Avoid configuring DUO for groups with spaces in their name, until you have patched your OneFS installation. |
Revision History
| Revision | Date | Description |
| 1.0 | 2021-12-06 | Initial Release |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFS, Product Security InformationArticle Properties
Article Number: 000194157
Article Type: Dell Security Advisory
Last Modified: 15 Feb 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.